← All posts
6 min read

What Cybersecurity Protects: Confidentiality, Integrity, and Availability

#technology#cybersecurity#security#risk-management
📑 On this page

Cybersecurity is sometimes pictured as antivirus software stopping a mysterious attacker. Real security is broader.

Organizations depend on information and systems to make decisions, deliver services, communicate, receive money, provide care, and preserve trust.

Cybersecurity manages risks to information and digital systems so they remain appropriately private, correct, and available.

Security is not one product. It is an ongoing combination of architecture, configuration, identity, software quality, monitoring, human judgment, incident response, and recovery.

A concrete example: a hospital record

A medical record needs several kinds of protection:

  • An unauthorized person must not read it.
  • An attacker must not silently change a medication.
  • A doctor must be able to access it during care.
  • Important access and changes should be traceable.
  • The hospital must recover it after failure.

Encrypting the record helps privacy but does not guarantee that authorized clinicians can reach it during an outage. Backups help recovery but do not prevent an employee from viewing records without a valid reason.

Security goals must be considered together.

Confidentiality

Confidentiality means information is disclosed only to authorized people, systems, and processes.

Controls include:

  • Authentication
  • Access permissions
  • Encryption
  • Network isolation
  • Device locks
  • Data classification
  • Secure disposal

Confidentiality is contextual. A public press release should be widely available, while its unpublished draft may be restricted.

Protecting everything identically wastes effort and can make important work difficult. Classification helps match controls to sensitivity.

Integrity

Integrity means data and systems remain accurate, complete, and changed only through authorized processes.

Threats to integrity include:

  • Malicious modification
  • Software bugs
  • Failed transfers
  • Conflicting updates
  • Accidental deletion
  • Incorrect configuration

Controls include checksums, digital signatures, database constraints, transactions, version history, code review, and audit logs.

Integrity is not only preventing change. Legitimate updates must still occur, and systems should preserve who changed what, when, and under which authority.

Availability

Availability means authorized users can access required systems and data when needed.

Availability can be harmed by:

  • Hardware failure
  • Denial-of-service attacks
  • Ransomware
  • Expired certificates
  • Network outages
  • Bad deployments
  • Capacity exhaustion
  • Lost credentials

Redundancy, monitoring, tested backups, graceful degradation, capacity limits, and practiced recovery improve availability.

A system that protects data by making it permanently inaccessible has not met its purpose.

Other useful security properties

The confidentiality, integrity, and availability triad is a starting model, not the entire field.

Additional properties include:

  • Authenticity: Is an identity, message, or artifact genuine?
  • Accountability: Can actions be connected to responsible identities?
  • Non-repudiation: Is there strong evidence that a party performed an action?
  • Privacy: Is personal data collected and used fairly and lawfully?
  • Safety: Could digital failure cause physical harm?
  • Resilience: Can the service absorb disruption and recover?

Which properties matter most depends on the system.

Assets are what have value

Security begins by identifying assets:

  • Customer data
  • Credentials
  • Source code
  • Money
  • Service availability
  • Business plans
  • Safety controls
  • Reputation
  • Staff time

An asset does not need to be a file. The ability to send trusted email from a company domain is valuable. So is the public's confidence that account balances are correct.

Without knowing what matters, a team cannot prioritize meaningful protection.

Security follows business and human impact

The same technical failure can have different consequences.

A one-hour outage in a hobby photo gallery is inconvenient. A one-hour outage in an emergency dispatch system can threaten lives.

Ask:

  • Who could be harmed?
  • What decisions depend on this data?
  • How much downtime is tolerable?
  • What legal or contractual obligations apply?
  • What would be difficult to recover?

Security is strongest when controls follow real impact rather than a generic checklist.

Prevention is not enough

No defense blocks every failure.

A mature security capability includes:

  1. Prevent: Reduce opportunities for harm.
  2. Detect: Notice suspicious or incorrect behavior.
  3. Respond: Contain and investigate the event.
  4. Recover: Restore trustworthy service.
  5. Learn: Improve the system after the incident.

A locked door is useful, but an alarm, incident plan, and inventory of what was inside address the possibility that the lock fails.

Defense in depth

Defense in depth uses several independent layers.

For an employee account:

  • A unique password reduces credential guessing and reuse.
  • MFA limits damage from password theft.
  • Least-privilege permissions restrict what the account can do.
  • Unusual-login monitoring detects misuse.
  • Session revocation helps contain compromise.
  • Backups support recovery from destructive actions.

Layers should address different failure modes. Installing three products that all depend on the same configuration is not necessarily three independent defenses.

Least privilege

Least privilege gives people and systems only the access needed for their current role.

A reporting service may read invoices but not delete them. A support employee may view account status without seeing payment details.

Benefits include:

  • Smaller damage from compromised accounts
  • Fewer accidental changes
  • Clearer responsibility
  • Easier review

Permissions require maintenance as roles change. Access that was justified two years ago may no longer be necessary.

Security boundaries

A boundary separates trust levels.

Examples include:

  • A login screen
  • An API accepting internet requests
  • A network firewall
  • A mobile-app permission
  • A process sandbox
  • A code-signing system

At a boundary, validate identity, data, authorization, and assumptions.

"Internal" is not a security property. Internal systems can be compromised, misconfigured, or reached through an authorized but hijacked account.

Security and usability interact

Controls that are confusing or obstruct essential work encourage unsafe workarounds.

Examples:

  • Password rules that force frequent predictable changes
  • Approval processes so slow that employees share accounts
  • Alerts so noisy that everyone ignores them
  • Backups that exist but are too complex to restore

Usable security makes the safe path understandable and practical.

This does not mean removing necessary controls. It means designing them around real human behavior and workflow.

Security is continuous

Systems change:

  • New features add data and permissions.
  • Dependencies discover vulnerabilities.
  • Employees join and leave.
  • Attack techniques evolve.
  • Old backups and devices remain.
  • Business impact grows.

Security therefore includes inventories, updates, access reviews, exercises, monitoring, and reassessment.

A secure design can become unsafe through neglect even when no code changes.

Knowledge check

  1. How do confidentiality, integrity, and availability differ?
  2. Why is encrypting a medical record not a complete security solution?
  3. What is an asset in security analysis?
  4. Why does defense in depth need independent layers?
  5. How can poor usability weaken a security control?

The one idea to remember

Cybersecurity protects the secrecy, correctness, and dependable use of valuable systems and information. Effective protection combines prevention with detection, response, recovery, and continuous attention to real human impact.